Claims 



WHAT IS CLAIMED IS: 



1 1 . A method for generating temporarily assigned identity information, 

2 comprising: 

3 authenticating identity information associated with a request received from a 

4 requestor for accessing a service; 

5 generating temporarily assigned identity information for the requestor; 

6 updating a protected identity directory with the temporarily assigned identity 

7 information; and 

8 transmitting the request and the temporarily assigned identity information to 

9 the service on behalf of the requestor, wherein the service accesses the protected 

10 identity directory with the temporarily assigned identity information to authenticate 

1 1 the requestor for access. 

1 2. The method of claim 1 further comprising: 

2 generating a mapping between the identity information and the temporarily 

3 assigned identity information; and 

4 storing the mapping in a local identity mapping store. 

1 3. The method of claim 2 further comprising, synchronizing the local identity 

2 mapping store and the mapping with one or more addition local identity mapping 

3 stores. 

1 4. The method of claim 1 wherein the generating further includes assembling 

2 an aggregate identity configuration for the requestor from one or more authoritative 

3 identity stores before generating the temporarily assigned identity information. 

1 5. The method of claim 1 further comprising, removing the temporarily 

2 assigned identity information from the protected identity directory after detecting a 
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4 



terminating event that terminates the authenticity of the temporarily assigned 
identity information. 



1 6. The method of claim 5 further comprising recycling a storage space 

2 occupied by the temporarily assigned identity information for use in a subsequent 

3 iteration of the method. 



1 7. The method of claim 1 further comprising: 

2 detecting dynamic changes made on at least a portion of the identity 

3 information, wherein the changes are detected within the protected identity 

4 directory; and 

5 synchronizing the temporarily assigned identity information with the 

6 changes. 

1 8. The method of claim 1 further comprising: 

2 detecting dynamic changes made on at least a portion of the identity 

3 information, wherein the changes are detected within the protected identity 

4 directory; and 

5 synchronizing the changes with one or more authoritative identity stores 

6 impacted by the changes. 



1 9. The method of claim 1 further comprising: 

2 detecting changes made on at least a portion of the identity information, 

3 wherein the changes are detected within the protected identity directory; and 

4 logging the changes for subsequent update with one or more authoritative 

5 identity stores impacted by the changes. 

1 10. A method for generating temporarily assigned identity information, 

2 comprising: 

3 acquiring a request for a service; 

4 authenticating the request; 
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5 compiling an identity configuration for the request; 

6 generating temporarily assigned identity information for the request using 

7 the identity configuration; and 

8 transmitting the temporarily assigned identity information and the request to 

9 the service. 

1 11. The method of claim 10 wherein the intercepting further includes, 

2 intercepting the request, where the request originates from a requestor's service over 

3 an insecure network. 

1 12. The method of claim 10 wherein the transmitting further includes, 

2 transmitting the temporarily assigned identity information and the request to the 

3 service within a secure network. 

1 13. The method of claim 10 further comprising accessing, by the service, a 

2 protected identity directory to authenticate the request using the temporarily 

3 assigned identity information. 

1 14. The method of claim 10 further comprising: 

2 acquiring an additional request issued from a same-requestor that is 

3 associated with the request, wherein the additional request is for an additional 

4 service; 

5 authenticating the additional request; and 

6 transmitting the temporarily assigned identity information and the additional 

7 request to the additional service. 

1 15. The method of claim 10 further comprising, forcing the temporarily assigned 

2 identity information to expire upon detection of a terminating event. 

1 16. The method of claim 10 wherein the compiling further includes aggregating 

2 identity policies from one or more authoritative identity stores, wherein the identity 
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3 policies are associated with a requestor that issued the request for the service. 

1 17. An identity information management system, comprising: 

2 a proxy server that intercepts requests made for services, wherein the 

3 requests are associated with requestors; 

4 a local identity mapping store for housing mappings between temporarily 

5 assigned identity information and identity configurations, the temporarily assigned 

6 identity information and the identity configurations are generated from identity 

7 information provided with the requests; and 

8 a protected identity directory updated with the temporarily assigned identity 

9 information and accessed by the services in order to authenticate the requests, 

10 wherein the requests and the temporarily assigned identity information are 

1 1 transmitted to the services on behalf of the requestors. 

1 18. The identity information management system of claim 1 7 further comprising 

2 a local identity mapping store synchronizer that synchronizes the mappings in the 

3 local identity mapping store with one or more additional local identity mapping 

4 stores. 

1 1 9. The identity information management system of claim 1 7 wherein the local 

2 identity mapping store, the protected identity mapping store, and the services are 

3 accessible from a secure network. 

1 20. The identity information management system of claim 1 7 wherein the 

2 identity configurations are generated from one or more authoritative data stores 

3 associated with the requestors. 

1 21. The identity information management system of claim 1 7, wherein the 

2 identity information includes at least one of an identification, a password, a 

3 certificate, a token, a biometric value, a hardware value, a network connection 

4 value, and a time value. 
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1 22. The identity information management system of claim 17, the temporarily 

2 assigned identity information is monitored and removed them from the protected 

3 identity directory and the local identity mapping store when terminating events are 

4 detected. 

1 23. The identity information management system of claim 1 7, wherein the 

2 temporarily assigned identity information is randomly or deterministically 

3 generated. 

1 24. The identity information management system of claim 17, a storage space 

2 associated with the temporarily assigned identity information is recycled or reused. 

1 25. A data store residing in a computer-readable medium, for managing identity 

2 information, the data store comprising: 

3 identity configuration information generated in response to a request made 

4 from a requestor for a service; and 

5 temporarily assigned identity information generated for the identity 

6 configuration and used by the service for authenticating the requestor. 

1 26. The data store of claim 25 further comprising a mapping that links the 

2 identity configuration with the temporarily assigned identity information, wherein 

3 the mapping is accessed for transmitting the temporarily assigned identity 

4 information along with the request to the service on behalf of the requestor. 

1 27. The data store of claim 26 wherein the mapping is accessed for purposes of 

2 updating a protected identity directory that is accessed by the service in order to 

3 authenticate the request by using the temporarily assigned identity information. 

1 28. The data store of claim 26 wherein the identity configuration, the 

2 temporarily assigned identity information, and the mapping are shared and managed 
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3 within the data store by a managing service and at least one additional service. 

1 29. The data store of claim 26 wherein the mapping is cached and accessible for 

2 subsequent uses. 

1 30. The data store of claim 26 wherein the mapping includes a collection of 

2 additional identity information which is not part of the identity information sent to 

3 the requestor. 

1 31. The data store of claim 25 wherein the temporarily assigned identity 

2 information is a subset of identity information associated with the requestor. 

3 32. The data store of claim 25 wherein the data store is a local identity mapping 

4 data store managed by a managing service and the data store is synchronized with 

5 another identity mapping store that is managed by another service. 

1 33. The data store of claim 25 wherein the data store cannot be directly accessed 

2 by the service. 

1 34. The data store of claim 25 wherein the data store is directly accessed by the 

2 service. 
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